VPN revocation error?

Robbo777 Member Posts: 331
I have managed to successfully configure an SSTP VPN connection on my internal client PC, but only through registry fixes. I keep getting this error relating to checking to see if the server has been revoked:
"The revocation function was unable to check revocation because the revocation server was offline."

I've gone onto Revoked Certificates in my CA and clicked on Publish and created a new CRL, but the clients are not getting it or it's not working somehow. Any idea as to how I can fix this?

Update: I have noticed that on the certificates I'm using only LDAP is being used as a method of retrieving the CRL. I don't mind this anyway because I'm not interested in HTTP at the moment; I just don't know why the domain-joined users and computers cannot find the CDP through LDAP?

ldap:///CN=JEDI-CA,CN=Jedi,CN=CDP,CDP=Public Key Services,CN=Services,CN=Configuration,DC=starwars,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint

^^^ That is the LDAP directory on the certificate

Comments

  • BornToBeMild Member Posts: 69
    You've got all the elements of the answer there -

    Your CRL is published to your AD, and accessible via LDAP to authenticated clients on your internal network. Your client is attempting a VPN connection, so currently it is neither authenticated to AD nor on your internal network.

    So you need a way for external clients to access your CRL before the VPN authenticates them. HTTP on an external website.
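One way to see this for yourself, as an added example that is not part of the thread: read the CRL Distribution Points extension out of the certificate the SSTP server presents and test, from the client that gets the error, which of those URLs it can actually fetch a CRL from. An ldap:/// URL with no host is resolved through the domain controller locator, so it only works once the client can already reach a DC, which an external client cannot do before the tunnel is up. The certificate file path and any host names below are placeholders.

```powershell
# Added example, not code from the thread. Reads the CRL Distribution Points
# extension out of an SSTP server certificate and reports, per URL, whether a
# client in its current network position can fetch the CRL from it.
# Every path and host name here is a placeholder for illustration.

function Get-CdpUrl {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # OID 2.5.29.31 = CRL Distribution Points. Format($true) renders the
    # extension as text with one "URL=..." line per distribution point.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if (-not $ext) { return @() }
    foreach ($m in [regex]::Matches($ext.Format($true), 'URL=([^\r\n]+)')) {
        $m.Groups[1].Value.Trim()
    }
}

function Test-CdpUrl {
    param([string]$Url)
    $scheme = ($Url -split ':', 2)[0].ToLowerInvariant()
    $r = [ordered]@{ Url = $Url; Scheme = $scheme; Reachable = $false; Detail = '' }
    switch ($scheme) {
        { $_ -in 'http', 'https' } {
            try {
                $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 10
                # A usable CRL is a non-empty DER blob returned with HTTP 200.
                $r.Reachable = ($resp.StatusCode -eq 200 -and $resp.RawContentLength -gt 0)
                $r.Detail = "HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes"
            } catch {
                $r.Detail = $_.Exception.Message
            }
        }
        'ldap' {
            # ldap:/// with no host goes through the DC locator, so it only
            # works for a domain-joined client that can already reach a DC.
            # Before the VPN connects, an external client has no such DC.
            $r.Detail = 'LDAP CDP: needs a reachable domain controller; unusable before the VPN connects'
        }
        default { $r.Detail = "unsupported scheme '$scheme'" }
    }
    [pscustomobject]$r
}

function Test-CdpReachability {
    param([Parameter(Mandatory)][string]$CertPath)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
    $urls = @(Get-CdpUrl -Cert $cert)
    if ($urls.Count -eq 0) {
        Write-Warning "No CDP extension in '$($cert.Subject)': revocation checking cannot succeed."
    }
    foreach ($u in $urls) { Test-CdpUrl -Url $u }
}

# Usage (placeholder path): export the certificate the SSTP server actually
# presents, copy it to the client that shows the error, and run there.
Test-CdpReachability -CertPath 'C:\temp\sstp-server.cer' | Format-Table -AutoSize
```

Two points that matter when reading the output. First, the check is made against the CDP URLs inside the server certificate itself, so a CDP added to the CA afterwards (for example with `Add-CACrlDistributionPoint -Uri 'http://pki.example.com/CertEnroll/<CaName><CRLNameSuffix><DeltaCRLAllowed>.crl' -AddToCertificateCdp -Force`, followed by a CertSvc restart and `certutil -crl`; the host name is an assumption) only appears in certificates issued after that change, so the SSTP server certificate has to be re-issued and the CRL has to be reachable at that HTTP URL from outside. Second, Windows caches CRLs it has fetched, so after fixing the publication point run `certutil -urlcache crl delete` on the client and confirm the end-to-end result with `certutil -verify -urlfetch C:\temp\sstp-server.cer`, which prints the outcome of each CDP retrieval.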
  • Robbo777 Member Posts: 331
    You've got all the elements of the answer there -

    Your CRL is published to your AD, and accessible via LDAP to authenticated clients on your internal network. Your client is attempting a VPN connection, so currently it is neither authenticated to AD nor on your internal network.

    So you need a way for external clients to access your CRL before the VPN authenticates them. HTTP on an external website.

    But I'm using a domain-joined PC to use the VPN to start it with, so shouldn't it be able to access the CRL via LDAP? Plus I've created an additional add-on extension for the CA for the CDP here

    So won't the new certificates I'm creating have these addresses in them too? But it still hasn't worked!
    I really really REALLY need help with this because it's driving me mad! I will actually pay someone to try and get me to understand this!!! I have had this working on the domain-joined client machine when I told the registry not to check the CRL! Again, this is a domain-joined machine that I'm trying this on, so shouldn't it be able to query the LDAP server anyway? Even if it isn't, then why isn't the CDP on the certificate working for the client? I have actually entered the URL into the client's machine and they're able to download the CRL manually...strange! There are no certificates on my Hyper-V client machine that I'm trying this on except for the root CA certificate.